From 6e6f152eff4f9446221c64f96bd1ba310410721b Mon Sep 17 00:00:00 2001 From: Joan Touzet Date: Fri, 2 Mar 2018 19:12:56 -0500 Subject: Prevent access to Fauxton on node-local port (5986) Will help stop people shooting themselves in the foot and/or using node-local CouchDB as their "main" CouchDB port. Closes #1198 --- src/chttpd/test/chttpd_csp_tests.erl | 81 ++++++++++++++++++++++++++++ src/couch/src/couch_httpd_misc_handlers.erl | 25 +-------- src/couch/test/couchdb_csp_tests.erl | 82 ----------------------------- src/couch/test/couchdb_vhosts_tests.erl | 25 --------- 4 files changed, 83 insertions(+), 130 deletions(-) create mode 100644 src/chttpd/test/chttpd_csp_tests.erl delete mode 100644 src/couch/test/couchdb_csp_tests.erl diff --git a/src/chttpd/test/chttpd_csp_tests.erl b/src/chttpd/test/chttpd_csp_tests.erl new file mode 100644 index 000000000..e86436254 --- /dev/null +++ b/src/chttpd/test/chttpd_csp_tests.erl @@ -0,0 +1,81 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(chttpd_csp_tests). + +-include_lib("couch/include/couch_eunit.hrl"). + + +setup() -> + ok = config:set("csp", "enable", "true", false), + Addr = config:get("chttpd", "bind_address", "127.0.0.1"), + Port = mochiweb_socket_server:get(chttpd, port), + lists:concat(["http://", Addr, ":", Port, "/_utils/"]). + +teardown(_) -> + ok. + + + +csp_test_() -> + { + "Content Security Policy tests", + { + setup, + fun chttpd_test_util:start_couch/0, fun chttpd_test_util:stop_couch/1, + { + foreach, + fun setup/0, fun teardown/1, + [ + fun should_not_return_any_csp_headers_when_disabled/1, + fun should_apply_default_policy/1, + fun should_return_custom_policy/1, + fun should_only_enable_csp_when_true/1 + ] + } + } + }. + + +should_not_return_any_csp_headers_when_disabled(Url) -> + ?_assertEqual(undefined, + begin + ok = config:set("csp", "enable", "false", false), + {ok, _, Headers, _} = test_request:get(Url), + proplists:get_value("Content-Security-Policy", Headers) + end). + +should_apply_default_policy(Url) -> + ?_assertEqual( + "default-src 'self'; img-src 'self' data:; font-src 'self'; " + "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';", + begin + {ok, _, Headers, _} = test_request:get(Url), + proplists:get_value("Content-Security-Policy", Headers) + end). + +should_return_custom_policy(Url) -> + ?_assertEqual("default-src 'http://example.com';", + begin + ok = config:set("csp", "header_value", + "default-src 'http://example.com';", false), + {ok, _, Headers, _} = test_request:get(Url), + proplists:get_value("Content-Security-Policy", Headers) + end). + +should_only_enable_csp_when_true(Url) -> + ?_assertEqual(undefined, + begin + ok = config:set("csp", "enable", "tru", false), + {ok, _, Headers, _} = test_request:get(Url), + proplists:get_value("Content-Security-Policy", Headers) + end). diff --git a/src/couch/src/couch_httpd_misc_handlers.erl b/src/couch/src/couch_httpd_misc_handlers.erl index ddc3d64b0..e2fc9f2fc 100644 --- a/src/couch/src/couch_httpd_misc_handlers.erl +++ b/src/couch/src/couch_httpd_misc_handlers.erl @@ -61,30 +61,9 @@ handle_file_req(#httpd{method='GET'}=Req, Document) -> handle_file_req(Req, _) -> send_method_not_allowed(Req, "GET,HEAD"). -handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) -> - "/" ++ UrlPath = couch_httpd:path(Req), - case couch_httpd:partition(UrlPath) of - {_ActionKey, "/", RelativePath} -> - % GET /_utils/path or GET /_utils/ - CachingHeaders = [{"Cache-Control", "private, must-revalidate"}], - EnableCsp = config:get("csp", "enable", "false"), - Headers = maybe_add_csp_headers(CachingHeaders, EnableCsp), - couch_httpd:serve_file(Req, RelativePath, DocumentRoot, Headers); - {_ActionKey, "", _RelativePath} -> - % GET /_utils - RedirectPath = couch_httpd:path(Req) ++ "/", - couch_httpd:send_redirect(Req, RedirectPath) - end; handle_utils_dir_req(Req, _) -> - send_method_not_allowed(Req, "GET,HEAD"). - -maybe_add_csp_headers(Headers, "true") -> - DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; " - "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';", - Value = config:get("csp", "header_value", DefaultValues), - [{"Content-Security-Policy", Value} | Headers]; -maybe_add_csp_headers(Headers, _) -> - Headers. + send_error(Req, 410, <<"no_node_local_fauxton">>, + ?l2b("The web interface is no longer available on the node-local port.")). handle_all_dbs_req(#httpd{method='GET'}=Req) -> diff --git a/src/couch/test/couchdb_csp_tests.erl b/src/couch/test/couchdb_csp_tests.erl deleted file mode 100644 index 5eb33f909..000000000 --- a/src/couch/test/couchdb_csp_tests.erl +++ /dev/null @@ -1,82 +0,0 @@ -% Licensed under the Apache License, Version 2.0 (the "License"); you may not -% use this file except in compliance with the License. You may obtain a copy of -% the License at -% -% http://www.apache.org/licenses/LICENSE-2.0 -% -% Unless required by applicable law or agreed to in writing, software -% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -% License for the specific language governing permissions and limitations under -% the License. - --module(couchdb_csp_tests). - --include_lib("couch/include/couch_eunit.hrl"). - --define(TIMEOUT, 1000). - - -setup() -> - ok = config:set("csp", "enable", "true", false), - Addr = config:get("httpd", "bind_address", "127.0.0.1"), - Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)), - lists:concat(["http://", Addr, ":", Port, "/_utils/"]). - -teardown(_) -> - ok. - - -csp_test_() -> - { - "Content Security Policy tests", - { - setup, - fun test_util:start_couch/0, fun test_util:stop_couch/1, - { - foreach, - fun setup/0, fun teardown/1, - [ - fun should_not_return_any_csp_headers_when_disabled/1, - fun should_apply_default_policy/1, - fun should_return_custom_policy/1, - fun should_only_enable_csp_when_true/1 - ] - } - } - }. - - -should_not_return_any_csp_headers_when_disabled(Url) -> - ?_assertEqual(undefined, - begin - ok = config:set("csp", "enable", "false", false), - {ok, _, Headers, _} = test_request:get(Url), - proplists:get_value("Content-Security-Policy", Headers) - end). - -should_apply_default_policy(Url) -> - ?_assertEqual( - "default-src 'self'; img-src 'self' data:; font-src 'self'; " - "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';", - begin - {ok, _, Headers, _} = test_request:get(Url), - proplists:get_value("Content-Security-Policy", Headers) - end). - -should_return_custom_policy(Url) -> - ?_assertEqual("default-src 'http://example.com';", - begin - ok = config:set("csp", "header_value", - "default-src 'http://example.com';", false), - {ok, _, Headers, _} = test_request:get(Url), - proplists:get_value("Content-Security-Policy", Headers) - end). - -should_only_enable_csp_when_true(Url) -> - ?_assertEqual(undefined, - begin - ok = config:set("csp", "enable", "tru", false), - {ok, _, Headers, _} = test_request:get(Url), - proplists:get_value("Content-Security-Policy", Headers) - end). diff --git a/src/couch/test/couchdb_vhosts_tests.erl b/src/couch/test/couchdb_vhosts_tests.erl index dfac73cb3..2562a0653 100644 --- a/src/couch/test/couchdb_vhosts_tests.erl +++ b/src/couch/test/couchdb_vhosts_tests.erl @@ -46,14 +46,6 @@ setup() -> couch_db:ensure_full_commit(Db), couch_db:close(Db), - test_util:with_process_restart(couch_httpd, fun() -> - config:set("httpd_global_handlers", "_utils", - "{couch_httpd_misc_handlers, handle_utils_dir_req, <<\"" - ++ ?TEMPDIR - ++ "\">>}" - ) - end), - Addr = config:get("httpd", "bind_address", "127.0.0.1"), Port = integer_to_list(mochiweb_socket_server:get(couch_httpd, port)), Url = "http://" ++ Addr ++ ":" ++ Port, @@ -76,7 +68,6 @@ vhosts_test_() -> [ fun should_return_database_info/1, fun should_return_revs_info/1, - fun should_serve_utils_for_vhost/1, fun should_return_virtual_request_path_field_in_request/1, fun should_return_real_request_path_field_in_request/1, fun should_match_wildcard_vhost/1, @@ -122,22 +113,6 @@ should_return_revs_info({Url, DbName}) -> end end). -should_serve_utils_for_vhost({Url, DbName}) -> - ?_test(begin - ok = config:set("vhosts", "example.com", "/" ++ DbName, false), - ensure_index_file(), - case test_request:get(Url ++ "/_utils/index.html", [], - [{host_header, "example.com"}]) of - {ok, _, _, Body} -> - ?assertMatch(<<"", _/binary>>, Body); - Else -> - erlang:error({assertion_failed, - [{module, ?MODULE}, - {line, ?LINE}, - {reason, ?iofmt("Request failed: ~p", [Else])}]}) - end - end). - should_return_virtual_request_path_field_in_request({Url, DbName}) -> ?_test(begin ok = config:set("vhosts", "example1.com", -- cgit v1.2.1